fix: Withings review follow-up (security + data correctness)

[marian001]

This PR follows up on feedback from #96 and implements the requested Withings fixes while keeping the existing biometrics UX work intact.

References:

• Prior PR: feat: Withings weight sync + dedicated Biometrics category UX #96
• Review: feat: Withings weight sync + dedicated Biometrics category UX #96 (review)

What changed

Security

1. Encrypt Withings credentials/tokens at rest

• Added withings_* keys to sensitive storage patterns in js/crypto.js
• Switched Withings config persistence to encryptedSetItem / encryptedGetItem
• Added initWithings() and call during startup to hydrate cached encrypted config before OAuth callback handling

2. Remove access token from query string

• Withings measure API now uses Authorization: Bearer <token> header
• access_token query parameter removed

3. Use cryptographically secure OAuth state

• Replaced Math.random() state generation with crypto.getRandomValues()

4. Server-side measurement filter

• Added meastype=1 to request only weight from Withings API

Functional/data fixes

5. Fix inverted delete/edit filter logic

• In js/biometrics-view.js, corrected weight row filtering so manual rows are preserved and Withings rows are the ones targeted when needed

6. Store Withings weight as raw kg

• Withings sync now stores weight in canonical form: unit: 'kg'
• Unit conversion remains a display concern in biometrics rendering

Minor consistency updates

• Updated Withings settings copy to reflect canonical kg storage
• Made saveWithingsCredentials() async to await encrypted save path

Files changed

• js/withings-weight.js
• js/crypto.js
• js/main.js
• js/biometrics-view.js
• js/settings.js

Notes

• This intentionally does not introduce the broader wearable adapter framework yet; it is scoped to the review fixes requested on feat: Withings weight sync + dedicated Biometrics category UX #96.

[vercel]

@marian001 is attempting to deploy a commit to the elkimek's projects Team on Vercel.

A member of the Team first needs to authorize it.

[elkimek]

Alright, I dust off my Oura, give me a week or two, I'll gather some data and do the wearables system properly then we can plug in Withings and others.